Practical Probability: Applying pGCL to Lattice Scheduling

Building on our published mechanisation of the probabilistic program logic pGCL, we present a verified lattice scheduler. Lattice scheduling is a standard covert-channel mitigation technique; our scheduler employs randomisation as an elegant means of ensuring starvation-freeness. We show that this scheduler enforces probabilistic non-leakage in addition to non-starvation. The refinement framework employed is compatible with that used in the L4.verified project, supporting our argument that full-scale verification of probabilistic security properties for realistic systems software is feasible.
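
The two properties named above, non-leakage and non-starvation, can be made concrete with a small simulation. The following is an added illustration, not code from the paper and not its verified scheduler (the abstract gives no scheduler details); it assumes a constructed two-point lattice (Low below High), a fixed slot length, and a uniform coin for the randomised choice. It contrasts a scheduler in which High's behaviour changes when Low runs (a timing covert channel) with a lattice-style scheduler whose slot boundaries and domain choices do not depend on any domain's state, and it shows why a probabilistic choice bounds the probability of starvation where a demonic one does not.

```python
"""Illustrative simulation of a randomised lattice scheduler (added example;
not the verified scheduler from the paper).

Two scheduling domains, Low and High, with Low <= High in the security lattice.
High holds a one-bit secret. A scheduler leaks if what Low can observe (the
times at which Low itself runs) depends on that bit."""
import random
from collections import Counter

DOMAINS = ("low", "high")   # constructed two-point lattice, low <= high
SLOT = 4                    # fixed slot length, in constructed time units


def leaky_scheduler(secret, steps, seed):
    """Round-robin in which a domain may yield its slot early.

    High yields after 1 unit when its secret bit is 1 and uses the full slot
    otherwise, so the wall-clock times at which Low runs depend on the secret:
    a timing covert channel. `seed` is accepted only for interface symmetry."""
    trace, t = [], 0
    for i in range(steps):
        dom = DOMAINS[i % len(DOMAINS)]
        length = 1 if (dom == "high" and secret == 1) else SLOT
        trace.append((t, dom))
        t += length
    return trace


def lattice_scheduler(secret, steps, seed):
    """Randomised lattice-style scheduler (assumed design, for illustration).

    Every slot has length SLOT no matter what the running domain does, and the
    next domain is drawn by a coin whose outcome does not depend on any
    domain's state. `secret` is therefore deliberately unused."""
    rng = random.Random(seed)
    trace, t = [], 0
    for _ in range(steps):
        trace.append((t, rng.choice(DOMAINS)))
        t += SLOT
    return trace


def low_view(trace):
    """All that Low can observe: the times at which it was scheduled."""
    return tuple(t for t, dom in trace if dom == "low")


def leaks_secret(scheduler, steps=64, seed=7):
    """True if Low's observation differs between secret=0 and secret=1.

    Equal observations for every seed means the distribution Low sees is
    independent of the secret, i.e. the scheduler does not leak."""
    return low_view(scheduler(0, steps, seed)) != low_view(scheduler(1, steps, seed))


def starvation_free(scheduler, steps=64, seed=7):
    """True if every domain was scheduled at least once in the run."""
    seen = Counter(dom for _, dom in scheduler(0, steps, seed))
    return all(seen[d] > 0 for d in DOMAINS)


def starvation_bound(p, n):
    """Probability that a domain picked with probability p per slot has still
    not run after n slots: (1 - p) ** n, which tends to 0 as n grows. A demonic
    (non-probabilistic) choice of next domain admits no such bound, since it
    may simply never pick that domain."""
    return (1 - p) ** n


if __name__ == "__main__":
    print("leaky scheduler leaks:    ", leaks_secret(leaky_scheduler))
    print("lattice scheduler leaks:  ", leaks_secret(lattice_scheduler))
    print("lattice starvation-free:  ", starvation_free(lattice_scheduler))
    print("P(starved after 10 slots):", starvation_bound(0.5, 10))
```

The check in `leaks_secret` is stronger than the probabilistic non-leakage property itself: with the same seed the low-observable trace is identical for both secrets, which implies that the distribution over Low's observations is the same. In the verified setting the corresponding statement is made about expectations rather than sampled traces, which is what pGCL provides.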